Namespace-based system-user access of database platforms

ABSTRACT

A database platform authenticates a system user for access via an application to a database that is associated with a customer account of the database platform. The system user is a first object in a first account-level namespace of the customer account, and the first account-level namespace is distinct from a default account-level namespace of the customer account. The database platform sends, as the system user, a query to the database via the application. The database platform receives, as the system user, results of the query from the database, and stores, as the system user, the results of the query in a first-namespace stage, which is a second object in the first account-level namespace.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.16/945,344, filed Jul. 31, 2020 and entitled “Account-Level Namespacesfor Database Platforms,” which is a continuation-in-part of U.S. patentapplication Ser. No. 16/883,565, filed May 26, 2020 and entitled“Application-Provisioning Framework for Database Platforms,” whichclaims the benefit of U.S. Provisional Patent Application No.63/027,625, filed May 20, 2020 and entitled “Application-ProvisioningFramework for Database Platforms,” all of which are hereby incorporatedby reference herein in their respective entireties.

TECHNICAL FIELD

The present disclosure relates to databases and database platforms. Insome aspects, this disclosure relates to account-level namespaces fordatabase platforms. In other aspects, this disclosure relates tonamespace-based system-user access of database platforms.

BACKGROUND

Database platforms are widely used for data storage and data access incomputing and communication contexts. With respect to architecture, adatabase platform could be an on-premises database platform, anetwork-based database platform (e.g., a cloud-based database platform),a combination of the two, and/or include another type of architecture.With respect to type of data processing, a database platform couldimplement online transactional processing (OLTP), online analyticalprocessing (OLAP), a combination of the two, and/or another type of dataprocessing. Moreover, a database platform could be or include arelational database management system (RDBMS) and/or one or more othertypes of database management systems.

In a typical implementation, a database platform includes one or moredatabases that are maintained on behalf of a customer account. Indeed, adatabase platform may include one or more databases that arerespectively maintained in association with any number of customeraccounts, as well as one or more databases that are associated with oneor more system (e.g., administrative) accounts of the database platform,one or more other databases that are used for administrative purposes,and/or one or more other databases that are maintained in associationwith one or more other organizations and/or for any other purposes. Adatabase platform may store metadata in association with the databaseplatform in general and in association with particular databases and/orparticular customer accounts as well. Metadata that is maintained by adatabase platform with respect to stored data (e.g., stored customerdata) may be referred to herein at times as “expression properties.”

Users and/or executing processes (that may be associated with, e.g., acustomer account) may, via one or more types of clients, be able tocause data to be ingested into one or more databases in the databaseplatform, and may also be able to manipulate the data, run queriesagainst the data, create materialized views (also referred to hereinsimply as “views”) of the data, modify the data, insert additional data,remove data, and/or the like. Example types of clients include webinterfaces, Java Database Connectivity (JDBC) drivers, Open DatabaseConnectivity (ODBC) drivers, other types of drivers, desktopapplications, mobile apps, and/or the like. A database platform mayphysically store database data in multiple storage units, which may bereferred to as blocks, micro-partitions, files, and/or by one or moreother names. In the present disclosure, the physical units of data thatare stored by a database platform—and that make up the content of, e.g.,tables in customer accounts—are referred to as micro-partitions. A giventable may be organized as records (e.g., rows) that each include one ormore attributes (e.g., columns). In various different implementations, adatabase platform may store metadata in micro-partitions as well.

BRIEF DESCRIPTION OF THE DRAWINGS

A more detailed understanding may be had from the following description,which is presented by way of example in conjunction with the followingdrawings, in which like reference numerals are used across the drawingsin connection with like elements.

FIG. 1 illustrates an example database platform, in accordance with atleast one embodiment.

FIG. 2 illustrates a first example customer account, in accordance withat least one embodiment.

FIG. 3 illustrates a first example method, in accordance with at leastone embodiment.

FIG. 4 illustrates an example architecture, in accordance with at leastone embodiment.

FIG. 5 illustrates a second example customer account, in accordance withat least one embodiment.

FIG. 6 illustrates a second example method, in accordance with at leastone embodiment.

FIG. 7 illustrates an example computing device, in accordance with atleast one embodiment.

DETAILED DESCRIPTION Introduction

In an implementation of a database platform, a database may berepresented as an account-level object “within” (e.g., associated with)a customer account, and the customer account may also include one ormore other account-level objects such as user objects, role objects,and/or the like. In the present disclosure, a user object may bereferred to simply as a user, a role object may be referred to simply asa role, and so forth. Additional examples of account-level objects arediscussed below. An account-level object such as a database may containone or more other objects such as tables, schemas, views, streams,tasks, and/or the like. In some embodiments, databases contain schemas,and schemas in turn contain objects such as tables, views, streams,tasks, etc. As used herein, an “account-level object” is an object thatis “inside” a customer account but is not inside another object in thecustomer account.

Disclosed herein are various embodiments of systems and methods forimplementing account-level namespaces in database platforms, as well asvarious embodiments of systems and methods for implementingnamespace-based system-user access of database platforms. In embodimentsof the present disclosure, a new account-level object-a namespace (alsoreferred to herein as an “account-level namespace”)—is introduced intocustomer accounts (and, in some cases, other accounts such asadministrative accounts, though customer accounts are the example typeof account that is primarily described herein). In some embodiments,namespaces (also referred to herein at times as namespace objects) areimplemented as “parent” objects to the one or more other “child” objects(e.g., users, roles, sub-namespaces, etc.) that are inside a givennamespace, such that those particular other objects are notaccount-level objects (though other users, roles, and/or the like stillcould be). In other embodiments, the one or more objects that are insideof a given namespace are still account-level objects alongside thenamespace with which they are associated, and of which they are stillconsidered to be inside.

In some embodiments of the present disclosure, account-level namespacesare used to guide name resolution of objects in a given customeraccount. One example embodiment takes the form of a method that includesa database platform receiving an object identifier (e.g., an objectname) from a client in association with a database session, where theclient is associated with a customer account of the database platform,and where the database session is associated with the client. The methodalso includes the database platform, in response to receiving the objectidentifier, identifying a resolution namespace for the objectidentifier, where the resolution namespace for the object identifier isa namespace that is specified in the object identifier if the objectidentifier includes a specified namespace, and where the resolutionnamespace is otherwise a current account-level namespace of the databasesession. The method also includes the database platform resolving theobject identifier (e.g., the object name) with reference to theidentified resolution namespace for the object identifier, whereresolving the object identifier includes identifying an object (e.g., adatabase) corresponding to the object identifier in the customeraccount. Thus, it is noted that, in some implementations, as describedmore fully below, a namespace can be encoded as part of an objectidentifier, in which case that specified namespace is used for resolvingthe object identifier, regardless of whether or not that specifiednamespace is the current account-level namespace of the databasesession.

The creation and use of account-level namespaces in accordance withembodiments of the present disclosure prevents name collisions thatwould otherwise occur if an object (e.g., a database) was created (orattempted to be created) with a particular name in a customer account inwhich an object (e.g., an object of the same type (i.e., anotherdatabase)) having that particular name already existed. The preventionof name collisions with respect to account-level objects relievesdevelopers of the burden of reviewing existing object names each timethey want to name a new object, and also relieves them of theinconvenience and frustration of encountering errors when namecollisions occur. Moreover, by virtue of the account-level namespaces ofthe present disclosure, the naming of objects is also simplified in thatcomplex, convoluted, account-wide naming conventions for objects arerendered unnecessary.

Furthermore, the account-level namespaces of the present disclosureprovide simplified control for developers and administrators withrespect to the visibility of and access to sets of objects. In arules-based access control (RBAC) model, various privileges can becreated that relate to visibility, access, permitted operations, and/orthe like for particular account-level namespaces (and therefore for theobjects therein). Those privileges can be selectively assigned to roles,and those roles can be selectively assigned to one or more users(including user objects associated with human users and user objectsassociated with system users, as discussed more fully below).

Additionally, the implementation of account-level namespaces inaccordance with embodiments of the present disclosure simplifiesreplication of sets of objects within a given customer account and/oracross multiple customer accounts. In some existing database-platformimplementations, after a database has been manually replicated from onecustomer account to another, one or more (and often numerous) otheraccount-level objects such as users, roles, and/or the like must thenalso be manually replicated into the second customer account. Thisprocess is time-consuming and susceptible to human error. In accordancewith at least one embodiment, however, a first namespace may contain oneor more objects such as databases, users, roles, etc., and that firstnamespace (and the one or more objects contained therein) can beconveniently replicated to, e.g., another customer account in a singleoperation (or small number of operations). Replication of account-levelnamespaces in accordance with at least one embodiment of the presentdisclosure saves time and processing resources as compared with themanual processes of prior implementations.

Moreover, in some embodiments, account-level namespaces in accordancewith embodiments of the present disclosure enable customers of adatabase platform to better serve their own customers. For example, acustomer of the database platform can create a namespace within theirown account on the database platform for each of multiple“sub-customers” (i.e., customers of the customer of the databaseplatform). This type of implementation of a so-called “multi-tenant”installation makes tasks such as management, billing, and the like lessburdensome on the customer of the database platform. Other advantages ofaccount-level namespaces in accordance with embodiments of the presentdisclosure are described herein and will be apparent to those of skillin the art having the benefit of the present disclosure.

The above-mentioned namespace-based system-user access of databaseplatforms represents one of many possible types of implementations thatare enabled by the present disclosure. One example embodiment takes theform of a method that includes a database platform authenticating asystem user for access via an application to a database associated witha customer account of the database platform, where the system user is auser object that is defined in a namespace of the customer account. Inat least one embodiment, the first namespace is distinct from a defaultnamespace of the customer account. The method also includes the databaseplatform sending, by the system user and via the application, a query tothe database that is associated in the database platform with thecustomer account. The method also includes the database platformreceiving, as the system user, results of the query from the database,and further includes the database platform storing, as the system user,the results of the query in a first-namespace stage, which is alsodefined as an object in the first namespace. A number of variations ofthis example embodiment are described herein.

As described above, one or more embodiments of the present disclosuretake the form of methods that include multiple operations. One or moreother embodiments take the form of systems (e.g., database platforms)that include at least one hardware processor and that also include oneor more computer-storage media containing instructions executable by theat least one hardware processor for causing the at least one hardwareprocessor to perform multiple operations (that may or may not correspondto operations performed in a herein-disclosed method embodiment). Stillone or more other embodiments take the form of one or morecomputer-storage media containing instructions executable by at leastone hardware processor (of, e.g., a database platform) for causing theat least one hardware processor to perform multiple operations (that,again, may or may not correspond to operations performed in aherein-disclosed method embodiment and/or operations performed by aherein-disclosed system embodiment).

Furthermore, a number of variations and permutations of embodiments aredescribed herein, and it is expressly noted that any variation orpermutation that is described in this disclosure can be implemented withrespect to any type of embodiment. For example, a variation orpermutation that is primarily described in this disclosure in connectionwith a method embodiment could just as well be implemented in connectionwith a system embodiment (e.g., a database-platform embodiment), acomputer-storage-medium (or computer-storage-media) embodiment, and/orone or more other types of embodiments. Furthermore, this flexibilityand cross-applicability of embodiments is present in spite of the useherein of any slightly different language (e.g., processes, methods,methodologies, steps, operations, functions, and/or the like) todescribe and/or characterize such embodiments and/or any element orelements thereof.

Example Database Platform

FIG. 1 illustrates an example database platform 100, in accordance withat least one embodiment. In various embodiments, the database platform100 may be used for performing one or more of the operations (e.g., oneor more of the methods) that are disclosed herein. As shown in FIG. 1,the database platform 100 includes a database manager 102, whichincludes a resource manager 104 and an execution platform 106. Thedatabase manager 102 need not be a defined physical device, though itcould be, but in general is used herein as shorthand to refer to thecombination of the resource manager 104 and the execution platform 106.The execution platform 106 may include one or more execution nodes(e.g., servers, workers, threads, and/or the like). A grouping ofexecution nodes in the execution platform 106 may be referred to hereinas a virtual warehouse (or just “warehouse” for short), and such virtualwarehouses are, in some embodiments, dynamically scalable to meetdynamically changing demands. Also depicted in FIG. 1 are a metadatastorage 108, a storage platform 110 that includes one or moredata-storage devices 112, one or more clients 114, and one or more cloudplatforms 116. In various different implementations, there could be anynumber of any of the entities that are shown in FIG. 1.

In some embodiments, all of the entities—other than the one or morecloud platforms 116—that are depicted in FIG. 1 are part of what isreferred to herein as the database platform 100, though this is not thecase in other embodiments. For example, in at least one embodiment, thedatabase platform 100 does not include any of the one or more clients114. As another example, in some embodiments, the database platform 100does not include the storage platform 110. In the embodiments that areprimarily described herein to illustrate various examples, the databaseplatform 100 includes the database manager 102 (including the resourcemanager 104 and the execution platform 106), the metadata storage 108,and the storage platform 110, and does not include any of the one ormore clients 114 or any of the one or more cloud platforms 116. It isfurther noted that the storage platform 110 could be implemented inwhole or in part on a cloud platform and still be considered part of thedatabase platform 100.

The resource manager 104 may be configured to manage a number ofdifferent types of tasks including external database tasks (e.g., queryrequests) that are received from, e.g., a client 114. The resourcemanager 104 may be coupled to any number of clients 114. A client 114may facilitate end users making data-storage and/or data-retrievalrequests, system administrators managing the database platform 100,and/or the like. In various different embodiments, a client 114 could bea web interface, a JDBC driver, an ODBC driver, a desktop application, amobile app, and/or another type of client. As shown in FIG. 1, a client114 may communicate with the database platform 100 (e.g., the resourcemanager 104 of the database manager 102) and one or more of the cloudplatforms 116. A client 114 could reside on a client-side computingdevice (not pictured) on which the client 114 interacts with one or moreclient-side applications and on which the client 114 makes use ofcertain client-side-system resources such as network interfaces, userinterfaces, memory (e.g., random access memory (RAM)), and/or the like.

As depicted in FIG. 1, the resource manager 104 is communicativelycoupled to the metadata storage 108, which in at least one embodiment isassociated with data stored throughout the database platform 100, andmay also reflect data stored on one or more of the cloud platforms 116.Indeed, in some embodiments, the metadata storage 108 includes one ormore summaries of data available in one or more local caches (of, e.g.,the resource manager 104 and/or the execution platform 106), data storedin the storage platform 110, and/or data stored in one or more of thecloud platforms 116. Additionally, the metadata storage 108 may includeinformation regarding how data is organized in one or more local caches,one or more storage platforms 110, one or more of the cloud platforms116, and/or the like.

Among other uses, the metadata storage 108 may allow systems andservices of the database platform 100 to determine whether a givenquantum of data needs to be processed (in connection with, e.g., a givenquery) without loading or accessing the actual stored data. In variousembodiments, metadata stored in the metadata storage 108 may reflect thecontents of one or more databases, one or more tables, one or morecolumns, one or more materialized views, and/or one or more othercollections of records, parts of records, and/or other data quanta. Withrespect to where the metadata storage 108 is actually stored, a separate(e.g., local) storage location (e.g., a key-value store) is used in someembodiments, while in other embodiments the metadata storage 108 ismaintained by the database platform 100 as a subset of the data storedin the storage platform 110. Other architectures are possible as well.

The resource manager 104 is also communicatively coupled to theexecution platform 106, which may provide multiple computing resourcesthat execute various tasks involving data storage, data retrieval, dataanalysis (e.g., query processing), and/or the like. In at least oneembodiment, the resource manager 104 includes a layer of code (e.g.,Java code) that is global with respect to the database platform 100,where that code layer includes instructions for performing functionssuch as compiling queries and brokering requests to one or moreexecution nodes in the execution platform 106. In some embodiments,there exists one or more instances of the execution platform 106 thatare used for executing client tasks, such as database queries, and oneor more instances of the execution platform 106 that are used forexecuting internal database tasks such as updating metadata, clusteringtables, generating materialized views, and/or the like. In some suchembodiments, there also exists one or more instances of the executionplatform 106 that are used for feature development and/or testing of thedatabase platform 100, and each such instance of the execution platform106 may be separate from each client-task instance of the executionplatform 106, such that, for example, client-task processing is notimpacted by feature-development tasks, database-platform-administrationtasks, and/or the like. Other arrangements are possible as well.

The execution platform 106 may be coupled to the one or moredata-storage devices 112 that are part of the storage platform 110,which may include—and an execution platform 106 may be capable ofcommunicating with—any number of data-storage devices 112. In someembodiments, one or more of the data-storage devices 112 are cloud-basedstorage devices located in one or more geographic locations. Forexample, one or more of the data-storage devices 112 may be part of apublic cloud infrastructure or a private cloud infrastructure. One ormore of the data-storage devices 112 may be or include hard disk drives(HDDs), solid state drives (SSDs), storage clusters, and/or any otherdata-storage technology. In some examples, the storage platform 110includes distributed file systems (such as Hadoop Distributed FileSystems (HDFSs)), object storage systems, and/or the like.

As shown in FIG. 1, the storage platform 110, including the one or moredata-storage devices 112, is decoupled from the computing resourcesassociated with the execution platform 106, the resource manager 104,and the database manager 102 generally. In an embodiment, each of aplurality of database-platform deployments includes a respective storageplatform 110 having its own respective one or more data-storage devices.That type of architecture supports dynamic changes to the databaseplatform 100 based on changing data-storage and/or data-retrieval needs,as well as changing needs of users and systems accessing the databaseplatform 100. The support of dynamic changes allows the databaseplatform 100 to scale quickly in response to changing demands on thesystems and components within the database platform 100. The decouplingof computing resources from data-storage devices supports the storage oflarge amounts of data by a given customer without requiring acorresponding large amount of computing resources being dedicated tothat customer, and also supports a significant increase in the computingresources utilized by a particular customer at a particular time withoutrequiring a corresponding increase in data-storage resources reservedfor that customer.

As a general matter, in at least some embodiments, the database platform100 can be referred to using terms such as a cloud-based data warehouse,a network-based data warehouse, or simply a data warehouse. Acloud-based data warehouse is one type of network-based data system thatcan be used for data analysis and reporting, and that includes a centralrepository of integrated data from one or more disparate sources. Acloud-based data warehouse is commonly an OLAP database that can storecurrent and historical data that can be used for creating analyticalreports for an enterprise based on data stored within databasesmaintained on behalf of the enterprise. To this end, data warehousesoften provide business-intelligence tools, tools to performextract-transform-load (ETL) tasks for ingesting data into therepository, tools to manage and retrieve metadata, and/or the like.There are other types of cloud-based data warehouses, such as OLTPdatabases, as well as data warehouses and other data systems thatoperate with characteristics of multiple types of database systems.

Any one or more of the components, devices, systems, and/or the likethat are depicted in FIG. 1 and in any of the other figures could beimplemented as one or more computing devices having an architecture thatis similar to the example computing device 700 that is described belowin connection with FIG. 7. Moreover, two or more of the entities thatare depicted in any of the figures could be combined into a singlecomponent, and any entity that is depicted as a single component in anyof the figures could instead be distributed across multiple components(e.g., distributed across multiple systems, platforms, and/or the likeat multiple geographic locations). Moreover, in particular embodiments,any one or more of the communication links depicted in FIG. 1 and in anyof the other figures could be implemented via one or moredata-communication networks, which may utilize any communicationprotocol and any type of communication medium or media. In someembodiments, the data-communication networks are a combination of two ormore data-communication networks (or sub-networks) coupled to oneanother. In various different embodiments, these communication links areimplemented using one or more of any types of communication medium ormedia and one or more of any types or examples of communicationprotocol(s).

First Example Customer Account

FIG. 2 illustrates an example customer account 200, in accordance withat least one embodiment. The database platform 100 (e.g., the databasemanager 102) may maintain the customer account 200 for a given customerof the database platform 100. The customer account 200 could bemaintained in one or more data-storage devices 112 of the storageplatform 110. Moreover, the database manager 102 may maintain metadataassociated with the customer account 200 in the metadata storage 108. Insome instances, the database platform 100 maintains multiple customeraccounts for multiple respective customers of the database platform 100.

As depicted in FIG. 2, in some embodiments, the customer account 200includes multiple objects that are also referred to in this disclosureat times as namespaces, namespace objects, account-level namespaces, andthe like. In the example that is shown in FIG. 2, the customer account200 includes a default namespace 202, a namespace 204, and a namespace206. Also as depicted, the default namespace 202 contains one or moreobjects 208, the namespace 204 contains one or more objects 210, and thenamespace 206 contains one or more objects 212. Any object 208, object210, or object 212 could be a user object (user), a role object (role),a warehouse object (warehouse, which may also be referred to as avirtual warehouse or virtual-warehouse object), a resource-monitorobject (resource monitor), an integration object (integration), adatabase object (database), or another kind of object.

A resource monitor may be an object that is used to help customers keepcosts down and avoid unexpected costs by enforcing limits on computingresources of the database platform 100 (e.g., the execution platform106) that are used by customers. In some cases, limits can be defined bytime periods (e.g., days, weeks, etc.), time durations (1 hour, 24hours, etc.), and/or the like, and may limit money spent, credits spent,and/or the like.

An integration may be an object that defines an interface between thedatabase platform 100 and one or more third-party services. Exampletypes of integrations include security integrations (for interfacingwith, e.g., third-party authentication services), storage integrations(for interfacing with, e.g., identity-and-access-management (IAM)functions of third-party storage services (e.g., cloud storageservices)), notification integrations (for interfacing with, e.g.,third-party messaging services (e.g., cloud message queueing services)),and application-programing-interface (API) integrations (for interfacingwith, e.g., third-party functions, which may also be referred to hereinas external functions). One or more other types of integrations could bedefined as well.

In some embodiments, the objects 208 in the default namespace 202 are orat least include one or more objects that are created by the customerthat is associated with the customer account 200. The objects 208 may beor at least include persisted account-level objects such as users,roles, databases, and/or the like. The objects 208 may also includepersisted child objects such as schemas, tables, views, storedprocedures, sequences, stages, streams, tasks, functions (e.g.,user-defined functions (UDFs)), and/or the like. Sequences may beobjects that are used to generate unique numbers across sessions andstatements, including concurrent statements. As used herein, a stage isan object that represents a storage location. In some embodiments,stages can be internal or external to the database platform 100.Internal stages may reside on the storage platform 110 while externalstages may reside on a cloud platform 116. Streams may be objects thatare used to track change-data-capture (CDC) information with respect to,e.g., a table. Tasks may be objects used to, e.g., automate StructuredQuery Language (SQL) statements, stored procedures, and/or the like.

Moreover, the customer account 200 could include any number ofaccount-level namespaces, including any number of temporaryaccount-level namespaces that may be respectively associated withdatabase sessions engaged in by one or more users in the customeraccount 200. Temporary account-level namespaces are further discussedbelow. By way of example and not limitation, three namespaces aredepicted in the customer account 200 in FIG. 2. In at least oneembodiment, a given one of the objects 208 and a given one of theobjects 210 could have the same name (and could be of the same type(e.g., they could both be roles)) without resulting in a name collision,since the database manager 102 may be configured to set a givennamespace as a current context for a given user and resolve object nameswithin the current context (i.e., within the current namespace), asdescribed more fully below. Thus, in such embodiments, one advantage ofusing account-level namespaces in the manner described herein is thatname collisions are avoided. In such embodiments, then, a user canchoose names for objects within a given account-level namespace withouthaving to be concerned with the possibility of name collisions withobjects that exist in the customer account 200 but external to the givennamespace.

Moreover, in at least one embodiment, the one or more objects 208 in thedefault namespace 202 are visible to one or more users defined in thedefault namespace of the account of the associated customer, whereas theone or more objects in either or both of the namespace 204 and thenamespace 206 are not. For example, the one or more objects 208 in thedefault namespace 202 may be visible to the client 114 whereas the oneor more objects 210 in the namespace 204 may not be visible to theclient 114. In at least one embodiment, a namespace-usage privilege isdefined such that a user that has been granted a role, where that rolehas been granted the namespace-usage privilege on a given namespace,would have visibility to objects that are defined in that namespace.

Example Method of Using Account-Level Namespaces for Database Platforms

FIG. 3 illustrates an example method 300, in accordance with at leastone embodiment. In various different embodiments, the method 300 couldbe performed by any computing and communication device or system of suchdevices that is suitably programmed or otherwise arranged to perform theoperations described herein. In at least one embodiment, the method 300is performed by one or more hardware processors. In some embodiments,all or part of the method 300 is performed by the database manager 102,which may involve one or more aspects of the method 300 being performedby the resource manager 104, one or more aspects of the method 300 beingperformed by the execution platform 106, and/or one or more aspects ofthe method 300 being performed by one or more other functionalcomponents of the database manager 102. By way of example and notlimitation, the method 300 is described below as being performed by thedatabase manager 102, and this description makes reference by way ofexample to other elements depicted in one or more of the other figures.

At operation 302, the database manager 102 receives an object identifierfrom a client 114 in association with a database session, where theclient 114 is associated with the customer account 200, and where thedatabase session is associated with the client 114. In some instances,the object is a standalone account-level object in the customer account200—for example, the object could be a user object, a role object, avirtual-warehouse object, a resource-monitor object, an integrationobject, a database object, or another type of account-level object.

In some instances, the object may be an account-level object with achild object (e.g., a table) also specified; in that case, the databasemanager 102 may use a parser to identify the account-level-objectidentifier. For example, the database manager 102 may receive, amongother data, a string such as “database_name+table_name” where the “+”sign is a delimiting character chosen arbitrarily for use in thisdisclosure.

It is noted that, in some implementations, a namespace can be encoded aspart of an object identifier, in which case that specified namespace is,as is also described below, used for resolving the object identifier,regardless of whether or not that specified namespace is the currentaccount-level namespace of the database session. For example, in acontext in which the current account-level namespace of a currentdatabase session is called “namespace01,” an object identifier such as“namespace02+database01” (where, again, the “+” sign is an arbitrarilychosen delimiter) may be used (in, e.g., a query), in which case thenamespace “namespace02” will be used (rather than the namespace“namespace01”) for resolving “database01.”

Returning to the example of the object identifier being“database_name+table_name,” a parser may be used to identify“database_name” as the account-level-object identifier. In some cases,the database manager 102 may receive the object identifier as part of aconnection string or other messaging related to establishing aconnection between the client 114 and the database platform 100. In thepresent disclosure, the term “connection string” is used to refer to anactual connection string but also to connection-establishment messaginggenerally. Some embodiments support reference from one namespace toobjects in another namespace using fully qualified names that mayinclude one or more such delimiting characters.

At operation 304, in response to receiving the object identifier atoperation 302, the database manager 102 identifies a resolutionnamespace for the object identifier, where the resolution namespace forthe object identifier is a namespace specified in the object identifierif the object identifier includes a specified namespace, and where theresolution namespace otherwise a current account-level namespace of thedatabase session. In some instances, the connection string specifies anamespace, in which case the database manager 102 may use that specifiednamespace as the current account-level namespace of the databasesession. In other instances, once a session has been established for theclient 114, the client 114 may issue a command to the database manager102 to set a namespace specified in the command as the currentaccount-level namespace of the database session.

In some cases, prior to receiving such a command (i.e., aset-current-namespace command), the database manager 102 may receive,from the client 114 (or a different client 114), a namespace-creationcommand for that namespace prior to receiving the set-current-namespacecommand, where the namespace-creation command specifies the name of thenamespace. In response to having received the namespace-creationcommand, the database manager 102 may have created the namespace (e.g.,the namespace 204) with the specified name. In some embodiments, a usermay need a specific privilege to be allowed by the database manager 102to create an account-level namespace. In some cases, thenamespace-creation command may come from an administrative account ofthe database platform 100. The database manager 102 may create therequested namespace 204 as an account-level namespace object in thecustomer account 200. That object may have a namespace-identifierproperty set equal to the specified name. The database manager 102 mayalso associate a pseudorandom alphanumeric or numeric identifier withthe newly created account-level-namespace object.

Moreover, it may occur during the session that the client 114 requestscreation of an object such as a database in the namespace 204. Inresponse to receiving that object-creation request, the database manager102 may create the requested object in the customer account 200, and seta namespace-identifier property of the created object equal to anidentifier of the current account-level namespace of the databasesession, which in this example is the namespace 204. Thatnamespace-identifier property of the created object could be set equalto the name or other alphanumeric or numeric identifier of the namespace204. Multiple objects in a given namespace such as the namespace 204 mayhave their respective namespace-identifier property set equal to such anamespace identifier.

The namespace 204 is an example of a persisted (i.e., non-temporary)account-level namespace. The corresponding namespace object may have asession-identifier property set equal to a null value, or may not have asession-identifier property, since the namespace 204 is, in at least oneembodiment, not associated only (e.g., uniquely) with the ongoingdatabase session. Similarly, objects in a non-temporary namespace mayhave a session-identifier property set to a null value or may not have asession-identifier property.

In some instances and in accordance with some embodiments, the databasemanager 102 creates a temporary namespace that is uniquely associatedwith the ongoing database session. The corresponding namespace objectmay have a session-identifier property set equal to a session identifierof the current database session. A temporary namespace may be used tocontain temporary objects such as temporary tables. In at least oneembodiment, when the session ends, the temporary namespace is deleted,as are any temporary objects in that temporary namespace.Temporary-namespace objects may have a session-identifier property setequal to an identifier of the ongoing session. In at least oneembodiment, names of temporary objects outrank non-temporary objectswith respect to name resolution; in at least one other embodiment, theopposite is true.

At operation 306, the database manager 102 resolves the objectidentifier (that was received from the client 114 at operation 302) withreference to the resolution namespace (that was identified at operation304 for the object identifier), where that resolution namespace is anamespace specified in the object identifier if the object identifierincludes such a specification, and is otherwise the currentaccount-level namespace of the database session. In at least oneembodiment, the resolving of the object identifier includes identifyingan object corresponding to the object identifier in the customer account200. In some instances, the object identifier is or includes an objectname, and operation 306 involves conducting a name resolution of theobject name with reference to the identified resolution namespace forthe object identifier. The name-resolution process may identify theobject corresponding to the object name in the customer account 200.

In one example, the provided account-level-object identifier correspondsto a database in the namespace 204 in the customer account 200. Theaccount-level-object identifier may be received in a query from theclient 114, where the query is directed to that database. After usingthe identifier to identify the database, the database manager 102 mayprocess the query with respect to the associated database.

Moreover, deletion of an account-level namespace can be treateddifferently in different embodiments. In at least one embodiment,deletion of an account-level namespace results in deletion of the one ormore objects contained in that account-level namespace. In some suchembodiments, the customer account 200 is the parent object with respectto account-level namespaces, and account-level namespaces are the parentobjects with respect to objects inside those namespaces.

In at least one other embodiment, deletion of an account-level namespacedoes not result in deletion of the one or more objects contained in thataccount-level namespace. In some such embodiments, the deletion of theaccount-level namespace results in the namespace-identifier property ofeach of the one or more objects (that were in that namespace)transitioning from an identifier of the account-level namespace to asecond value, which could be an identifier of the default namespace 202,a null value, or another value deemed suitable by those of skill in theart for the particular implementation. Moreover, in some suchembodiments, the customer account 200 is the parent object with respectto both account-level namespaces and the objects that are considered tobe inside those namespaces. Other implementations are possible as well.In at least one embodiment, when creating a namespace and/or during thelifetime of a namespace, users with sufficient privileges can choose avalue for a setting that controls whether or not deletion of thatnamespace will result in deletion of the objects therein.

With respect to replication of account-level namespaces, in at least oneembodiment, the database manager 102 may receive a replication request(from, e.g., a client 114) to replicate an account-level namespace suchas the namespace 204. The request could specify that the namespace 204be replicated in the customer account 200 or replicated to a differentcustomer account. In response to receiving the replication request, thedatabase manager 102 may replicate the namespace 204, where thisreplicating may involve creating a second account-level namespace thatincludes a copy of each of the one or more objects in the namespace 204.As stated, the new account-level namespace could be in the same or adifferent customer account. Thus, account-level namespaces in accordancewith embodiments of the present disclosure represent convenient packagesof objects that can be replicated as a group. The more instances andtypes of objects the source namespace (e.g., the namespace 204)includes, the greater the savings in time and frustration.

With respect to the above-mentioned multi-tenant implementations, in atleast one embodiment, the customer account 200 may be associated with afirst business entity (e.g., a company). Moreover, the namespace 204 maycorrespond to a first tenant in the customer account 200, where thefirst tenant is a first customer of the company. Furthermore, thenamespace 206 may correspond to a second tenant in the customer account200, where the second tenant is a second, different customer of thecompany. Thus, in some implementations, account-level namespaces inaccordance with embodiments of the present disclosure can serve as“mini-accounts” for customers of the company associated with thecustomer account 200. This type of installation facilitates conveniencessuch as billing tenants along namespace boundaries, and enablescustomers of the database platform 100 to create applications, services,and/or the like that they can in turn “re-sell” to their own customers.

Example Architecture for Namespace-Based System-User Access of DatabasePlatforms

FIG. 4 illustrates an example architecture 400 in which embodimentsrelated to conducting namespace-based system-user access of databaseplatforms can be carried out. Many of the elements in FIG. 4 are shownand described above in connection with FIG. 1, and therefore are notdescribed in detail here. Also, it is noted that the one or more cloudplatforms 116 that are depicted in FIG. 1 are not depicted in FIG. 4.This is not by way of limitation; it is just to make FIG. 4 lesscluttered and therefore more readable. In any given embodiment, one ofmore cloud platforms 116 could be present.

In some implementations, a database on the database platform 100 servesas a backend for one or more applications that are executing on one ormore application servers, which may reside on an applicationinfrastructure that is separate from the infrastructure of the databaseplatform 100. A given application infrastructure may, though separate,still be associated with the database platform 100. For example, thedatabase platform 100 and the application infrastructure may be managedby a common organization (e.g., a company). Other applicationinfrastructures may be managed by other organizations. On an applicationinfrastructure that is associated with the database platform 100, thedatabase platform 100 may provide one or more applications that, asexamples, access customer accounts to store data therein (e.g., storetransient data in stages defined in a given customer account), accessdata stored in customer accounts (e.g., stored in one or more databasesin a given customer account), and/or the like.

As shown in FIG. 4, the architecture 400 includes an applicationinfrastructure 402 that includes an example application 404 installedand executing thereon. The application infrastructure 402 may be orinclude a system of one or more servers, and is depicted as includingonly a single executing application: the application 404. In variousdifferent implementations, the application infrastructure 402 couldinclude any number of executing applications, and these applicationscould be of any type. In the embodiments that are primarily describedherein, the application 404 is a user-interface application that servesas a frontend for clients 114 to use in accessing respective customeraccounts on the database platform 100. Another type of application thatcould be executing on the application infrastructure 402 is an alertsapplication, which could be configured to monitor various values,tables, databases, streams, and/or the like in the database platform100, and to provide alerts to one or more clients 114 when one or moreconditions are met. Numerous other types of applications could beexecuting on the application infrastructure 402 as well. In the examplesthat are primarily described herein, the application infrastructure 402is an application infrastructure that is associated with the databaseplatform 100.

Moreover, the application infrastructure 402 could also include anentity (not pictured) that implements perimeter protection for theapplication infrastructure 402 and that may provide additional functionssuch as serving as a hypertext transfer protocol (HTTP) reverse proxy,managing incoming connections from browsers and/or apps, and/or thelike. Such an entity may also perform one or more other functions suchas load-balancing, for example. The entity may integrate withapplications in the application infrastructure 402 to provide singlesign-on (SSO) functionality.

Second Example Customer Account

FIG. 5 illustrates an example customer account 500 that can be used inconnection with, e.g., the architecture 400 of FIG. 4. The databaseplatform 100 (e.g., the database manager 102) may maintain the customeraccount 500 for a given customer of the database platform 100. Thecustomer account 500 could be maintained in one or more of thedata-storage devices 112 of the storage platform 110. Moreover, thedatabase manager 102 may maintain metadata associated with the customeraccount 500 in, e.g., the metadata storage 108. In some embodiments, thedatabase platform 100 maintains multiple customer accounts for multiplerespective customers of the database platform 100.

As depicted in FIG. 5, the customer account 500 includes multipleaccount-level namespaces: a default namespace 502 and an applicationnamespace 504. The default namespace 502 includes one or moredefault-namespace objects 506, and the application namespace 504includes one or more application-namespace objects 508. Anydefault-namespace object 506 and any application-namespace object 508could be any type of object, with some examples including users, roles,privileges, databases, and the like. In particular with respect to theapplication-namespace objects 508, those could include, as examples, oneor more application-specific users, one or more application-specificroles for the one or more application-specific users and/or for one ormore other users, one or more application-specific databases, and/or thelike.

The customer account 500 could include any number of account-levelnamespaces, including any number of temporary namespaces respectivelyassociated with database sessions engaged in by one or more clients 114in connection with the customer account 500. Each such database sessionmay have a namespace-identifier property that identifies theaccount-level namespace in which the associated user (that is conductingthe database session) is defined. Moreover, the application 404 mayprovision for itself (e.g., based on communication from the databaseplatform 100) one or more resources (e.g., users, credentials, roles,accounts, and/or the like) for clients 114 associated with the customeraccount 500 to use, in accordance with the particular functioning of theapplication. The default namespace 502 and the application namespace 504may each be represented by a respective account-level namespace objectin the customer account 500. In some implementations, the account-levelnamespace object for the application namespace 504 is not visible to oneor more users (e.g., one or more users defined in the default namespace502). Moreover, the application 404 itself may be represented by anaccount-level application object in the default namespace 502, such thatthe account-level application object is visible to users defined in thedefault namespace 502. Other implementations are possible as well.

Furthermore, in some embodiments, the database platform 100 implementsaccount-level application namespaces on a per-application-vendor basis.In such embodiments, if a given application vendor implemented multipleapplications in their respective vendor-specific application namespace,then objects in that vendor-specific application namespace may bevisible across those multiple applications. An organization (e.g., acompany) that manages both the database platform 100 and the applicationinfrastructure 402 could be considered to be an application vendor. Insome embodiments, account-level application namespaces are implementedon a per-application basis. In some such embodiments, objects within agiven application namespace could only be visible to the one applicationthat is associated with that given application namespace, depending onthe privileges granted or not granted to users defined outside of thatexample application namespace. In some embodiments, all of the objects(users, roles, databases, etc.) that the application 404 uses inconnection with the customer account 500 are defined in the applicationnamespace 504; that is, in some embodiments, the application 404 doesnot access any objects that are defined in the customer account 500other than the one or more application-namespace objects 508, which aredefined in the application namespace 504.

As described above, in some embodiments, the application namespace 504is represented as an account-level namespace object in the customeraccount 500. In some such embodiments, that object is not visible to theassociated customer. The namespace object may be created and owned by arole that is referred to herein as the app-admin role, which is anadministrative role with respect to the application 404 and theapplication namespace 504 in the described examples. The app-admin rolemay be defined within the application namespace 504 to, among otherbenefits, avoid name collisions with any roles that are defined outsideof the application namespace 504 (e.g., in another namespace such as thedefault namespace 502). In at least some embodiments, the app-admin roleis not owned by an administrative role that exists for the customer inthe customer account 500 (e.g., in the default namespace 502).

Indeed, in some embodiments, the above-described app-admin role is notvisible to users and other objects defined in the default namespace 502,though this is optional and could be configurable. A support functionmay be implemented such that the app-admin role can be temporarilygranted to the customer's administrative role in instances in which thecustomer needs to, e.g., address an issue that requires the accessusually reserved for the app-admin role. As a general matter, making theapp-admin role (and the application namespace 504 generally) not visibleto objects in the default namespace 502 can help to protect one or moreof the application-namespace objects 508 such as configuration tablesand the like, where changes to such objects could have unintended and/orundesired consequences to the customer account 500. For example, somesuch changes could leave the customer account 500 in an unstable state.

Because they are in different account-level namespaces, a given one ofthe default-namespace objects 506 and a given one of theapplication-namespace objects 508 could have the same name (and be ofthe same type, e.g., they could both be users) without causing a namecollision, since the database manager 102 may be configured to set agiven namespace as a current context for a given user and resolve objectnames within the current context (i.e., within the current account-levelnamespace). Thus, in such embodiments, an advantage of usingaccount-level namespaces in the manner described herein in connectionwith embodiments of the present disclosure is that name collisions areavoided. Accordingly, in such embodiments, a developer of a givenapplication can choose names for objects without having to be concernedwith the possibility of name collisions with objects that exist in thecustomer account 500 but external to the application namespace 504(e.g., objects that exist in the default namespace 502).

Example Method of Namespace-Based System-User Access of a DatabasePlatform

In at least one embodiment, the application 404 may use what is referredto herein as a “system user” (i.e., a programmatic, automated user) toaccess the data in the customer account 500 on the database platform100. This may be thought of as the application 404 accessing thedatabase platform 100 as itself. FIG. 6 illustrates an example method600 in which operations of this sort are carried out. In variousdifferent embodiments, the method 600 could be performed by anycomputing and communication device or system of such devices that issuitably programmed or otherwise arranged to perform the operationsdescribed herein. In at least one embodiment, the method 600 isperformed by one or more processors. In some embodiments, all or part ofthe method 600 is performed by the database manager 102, which mayinvolve one or more aspects of the method 600 being performed by theresource manager 104, one or more aspects of the method 600 beingperformed by the execution platform 106, and/or one or more aspects ofthe method 600 being performed by one or more other functionalcomponents of the database manager 102. By way of example and notlimitation, the method 600 is described below as being performed by thedatabase manager 102, and this description makes reference by way ofexample to other elements depicted in one or more of the other figures.

At operation 602, the database manager 102 authenticates a system userfor access via an application to a database associated with a customeraccount of the database platform. In this example, the application isthe application 404 and the customer account is the customer account500. In at least one embodiment, the system user is an object that isdefined in the application namespace 504. That is, in at least oneembodiment, the system user is one of the application-namespace objects508. As mentioned above, the system user is, in at least one embodiment,a programmatic, automated user (as contrasted with a user object that isassociated with a human user, for example).

Authentication credentials may have been provisioned for the systemuser, and the system user may use those credentials to open a sessionvia the application 404 with the database platform 100. In at least oneembodiment, at a time when the application 404 was provisioned for thecustomer account 500, credentials may have been created and roles mayhave been granted to the associated clients. The application 404 couldthen, as further described by way of example below, use thosecredentials and roles to connect to the database platform 100 to performoperations on the customer account 500, based on the privileges grantedat provisioning time. Other implementations are possible as well.

The above-mentioned session may be created by way of a 2-leggedauthentication flow using, e.g., OAuth. In an embodiment, theapplication 404 uses the system user's identity to connect to thedatabase platform 100. An example authentication flow may include theapplication 404 providing its credentials (e.g., an application-clientidentifier (e.g., username) and secret (e.g., password)) to the databaseplatform 100, which may then return an access token (e.g., an OAuthAccess Token) to the application 404. The application 404 may then usethat access token when opening a connection with the database platform100, which may return a session token to the application 404. Thatsession token may have the identity of the system user embedded therein.The application 404 may then conduct the session using the issuedsession token.

That 2-legged authentication flow may be different from anauthentication flow that a user object associated with a human user mayuse to authenticate to the database platform 100 via the sameapplication 404. When accessing the database platform 100 via theapplication 404, the user may engage in what is known as a 3-leggedauthentication flow using, e.g., OAuth. In this 3-legged authenticationflow, which may also be referred to as an SSO flow, the user accessesthe application 404. The application 404 may then redirect the user tothe database platform 100, which may prompt the user to provide theuser's credentials and in return provide the user (via, e.g., a client114) with a code. The database platform 100 may then redirect thatclient 114 back to the application 404, at which point the client 114may provide that code to the database platform 100.

Further as part of the example 3-legged authentication flow, theapplication 404 may then provide that code as well as the credentials(e.g., user identifier and password or other secret) of the application404 to the database platform 100, which may then return an access token(e.g., an OAuth Access Token) to the application 404. The application404 may then use that access token to open a connection with thedatabase platform 100, which may then issue a session token to theapplication 404, where that session token has the identity of the userembedded in it. The application 404 may then use that session token toaccess the database platform 100 during the associated session, whichthe database platform 100 may bind to the user identity and therefore tothe default namespace 502 in which that user object was defined. If theuser object for that user is defined in a different account-levelnamespace, the database platform 100 may bind the session to thataccount-level namespace instead. During the session, the user may, viathe client 114, issue queries, receive results, and the like.

Returning to the example in which the system user is accessing thedatabase platform 100 via the application 404, in at least oneembodiment, following the above-described 2-legged authentication flow,the system user may then be able to perform one or more databaseoperations directly on the data maintained for the customer account 500by the database platform 100. These database operations could includerunning queries, receiving results, downloading results of queriesperformed by other users, and/or the like. The session may be bound tothe system user and therefore to the application namespace 504. Ininstances in which the system user is defined in another account-levelnamespace such as the default namespace 502 or a different account-levelnamespace, the session may be bound to the account-level namespace inwhich the system user is defined. As described above, in someembodiments, the application-namespace objects 508 in the applicationnamespace 504 are not visible to the default-namespace object 506 in thedefault namespace 502. Furthermore, in at least one embodiment, thesystem user could use an object identifier that specifies the name of anamespace other than the application namespace 504, in which case thenamespace that is specified in that particular object identifier wouldbe used to resolve the object, further taking into account anyfurther-specified object-identifier information; in at least one suchembodiment, that described resolution is contingent on the system userhaving corresponding privileges such as a usage privilege on that othernamespace, a usage privilege on the referenced object, and/or the like.

At operation 604, the database manager 102 sends, as the system user viathe application 404, a query to the database that is associated in thedatabase platform 100 with the customer account 500. At operation 606,the database manager 102 receives, as the system user, results of thequery from the database. At operation 608, the database manager 102stores, as the system user, the results of the query in a stage in theapplication namespace 504. That is, in this example, the stage is one ofthe application-namespace objects 508 in the application namespace 504.In various different embodiments, the database manager 102 may conduct,as the system user, a database session with respect to a databaseassociated with the customer account 200. Within such a databasesession, the system user may conduct one or more database transactionson the database, where the one or more database transactions includestoring data, causing ingestion of data, removing data, modifying data,inserting data, running one or more queries on the data (such as thequery of operation 604, operation 606, and operation 608, for example),creating one or more materialized views, and/or the like.

In some cases, after a human user (or any other user such as anothersystem user) performs a given query and receives results, the systemuser may detect (e.g., may be notified by the database platform 100, ormay poll for such events, and/or the like) that a user accountassociated with that other user has been used to perform that query andreceive query results of that query. Upon making this detection, thesystem user may open a session, download those same results, and storethem in a stage in the application namespace 504. The system user may,depending on the role granted to it and the privileges granted to thatrole, be able to create and/or modify the schema of tables, tasks,stored procedures, and/or one or more other of the application-namespaceobject 508 in the application namespace 504 in the customer account 500.

In some embodiments, there is only one type of user object, and bothhuman users and system users are instances of that type. In otherembodiments, there are different user-object types for human users andsystem (e.g., app-instance) users. A system user may be able to requesta Uniform Resource Locator (URL) for a given stage in the customeraccount 500, and then use that URL to access the given stage and storedata there. The data that the system user stores in one or more stagesin the application namespace 504 may be made accessible to one or morehuman users via a dashboard or other type of user interface of theapplication 404. In some cases, the system user may run one or morequeries (that, e.g., take a long time) overnight, store the results ofsuch one or more queries in, e.g., a stage in the application namespace504, and provide access to those results (e.g., make those resultsavailable) via an interface such as the aforementioned dashboard. Otherimplementations are possible as well.

Example Computing Device

FIG. 7 illustrates an example computing device 700, in accordance withat least one embodiment. In some embodiments, the computing device 700is used to implement one or more of the systems and components discussedherein. Further, the computing device 700 may interact with any of thesystems and components described herein. Accordingly, the computingdevice 700 may be used to perform various procedures and tasks, such asthose discussed herein. The computing device 700 can function as aserver, a client, or any other computing entity. The computing device700 can be any of a wide variety of computing devices, such as a desktopcomputer, a notebook computer, a server computer, a handheld computer, amobile device, a tablet, and/or the like.

In the depicted embodiment, the computing device 700 includes one ormore processor(s) 702, one or more memory device(s) 704, one or moreinterface(s) 706, one or more mass storage device(s) 708, and one ormore input/output device(s) 710, all of which are coupled to a bus 714.The processor(s) 702 includes one or more processors or controllers thatexecute instructions stored in the memory device(s) 704 and/or the massstorage device(s) 708.

The memory device(s) 704 can include various computer-storage media,such as volatile memory (e.g., random access memory (RAM)) and/ornonvolatile memory (e.g., read-only memory (ROM)). The memory device(s)704 may also include rewritable ROM, such as Flash memory. Theprocessor(s) 702 may also include various types of computer-storagemedia, such as cache memory.

The interface(s) 706 may include various interfaces that allow thecomputing device 700 to interact with other systems, devices, computingenvironments, and/or the like. Example interface(s) 706 include anynumber of different network interfaces, such as interfaces to local areanetworks (LANs), wide area networks (WANs), wireless networks, theInternet, and/or the like.

The mass storage device(s) 708 may include various computer-storagemedia, such as magnetic tapes, magnetic disks, optical disks,solid-state memory (e.g., Flash memory), and so forth. Various drivesmay also be included in the mass storage device(s) 708 to enable readingfrom and/or writing to the various computer-storage media. The massstorage device(s) 708 may include removable media and/or non-removablemedia.

The input/output device(s) 710 may include various devices that allowdata and/or other information to be input to and/or retrieved from thecomputing device 700. Example input/output device(s) 710 includecursor-control devices, keyboards, keypads, microphones, monitors orother display devices, speakers, printers, network interface cards,modems, lenses, CCDs or other image-capture devices, and the like.

The bus 714 allows the processor(s) 702, the memory device(s) 704, theinterface(s) 706, the mass storage device(s) 708, and the input/outputdevice(s) 710 to communicate with one another, as well as with otherdevices or components that may be coupled to the bus 714. The bus 714represents one or more of several types of bus structures, such as asystem bus, a PCI bus, an IEEE 1394 bus, a USB bus, and/or the like. Insome examples, the bus 714 includes one or more network connections.

For purposes of illustration, programs and other executable programcomponents are shown herein as discrete blocks, although it isunderstood that such programs and components may reside at various timesin different storage components of the computing device 700 and areexecuted by the processor(s) 702. Alternatively, the systems andprocedures described herein can be implemented in hardware, or using acombination of hardware and software and/or firmware. For example, oneor more application specific integrated circuits (ASICs) can beprogrammed to carry out one or more of the systems and proceduresdescribed herein.

Executable Instructions and Computer-Storage Medium/Media

The various memories may store one or more sets of instructions 712 anddata structures (e.g., software) embodying or utilized by any one ormore of the methodologies or functions described herein. Theseinstructions 712, when executed by the processor(s) 702, cause variousoperations to implement the disclosed embodiments.

As used herein, the terms “computer-storage medium (and media),”“machine-storage medium (and media),” and “device-storage medium (andmedia)” mean the same thing and may be used interchangeably in thisdisclosure. The terms refer to a single storage device or multiplestorage devices and/or media (e.g., a centralized or distributeddatabase, and/or associated caches and servers) that store executableinstructions and/or data. The terms shall accordingly be taken toinclude, but not be limited to, solid-state memories as well as opticaland magnetic media, including memory internal or external to processors.Specific examples of computer-storage media, machine-storage media,and/or device-storage media include non-volatile memory, include by wayof example semiconductor memory devices, e.g., erasable programmableread-only memory (EPROM), electrically erasable programmable read-onlymemory (EEPROM), field-programmable gate arrays (FPGAs), and flashmemory devices; magnetic disks such as internal hard disks and removabledisks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The terms“computer-storage medium (and media),” “machine-storage medium (andmedia),” and “device-storage medium (and media)” specifically excludecarrier waves, modulated data signals, and other such media, at leastsome of which are covered under the term “transmission medium (andmedia)” discussed below.

Transmission Medium/Media

In various example embodiments, any network or portion of a networkdescribed herein may be an ad hoc network, an intranet, an extranet, avirtual private network (VPN), a local-area network (LAN), a wirelessLAN (WLAN), a wide-area network (WAN), a wireless WAN (WWAN), ametropolitan-area network (MAN), the Internet, a portion of theInternet, a portion of the public switched telephone network (PSTN), aplain old telephone service (POTS) network, a cellular telephonenetwork, a wireless network, a Wi-Fi network, another type of network,or a combination of two or more such networks. For example, any networkor portion of a network described herein may include a wireless orcellular network, and one or more utilized couplings may be CodeDivision Multiple Access (CDMA) connections, Global System for Mobilecommunications (GSM) connections, or another type of cellular orwireless coupling. In this example, a coupling may implement any of avariety of types of data-transfer technology, such as Single CarrierRadio Transmission Technology (1×RTT), Evolution-Data Optimized (EVDO)technology, General Packet Radio Service (GPRS) technology, EnhancedData rates for GSM Evolution (EDGE) technology, third GenerationPartnership Project (3GPP) including 3G, fourth generation wireless (4G)networks, Universal Mobile Telecommunications System (UMTS), High-SpeedPacket Access (HSPA), Worldwide Interoperability for Microwave Access(WiMAX), Long Term Evolution (LTE) standard, others defined by variousstandard-setting organizations, other long-range protocols, and/or otherdata-transfer technology.

The instructions 712 may be transmitted or received over a network usinga transmission medium via a network interface device (e.g., a networkinterface component) and utilizing any one of a number of well-knowntransfer protocols (e.g., hypertext transfer protocol (HTTP)).Similarly, the instructions 712 may be transmitted or received using atransmission medium via a coupling (e.g., a peer-to-peer coupling) toone or more devices. The terms “transmission medium (and media)” and“signal medium (and media)” mean the same thing and may be usedinterchangeably in this disclosure. The terms “transmission medium (andmedia)” and “signal medium (and media)” shall be taken to include anyintangible medium that is capable of storing, encoding, or carrying theinstructions 712 for execution by the computing device 700, and includedigital or analog communications signals or other intangible media tofacilitate communication of such software. Hence, the terms“transmission medium (and media)” and “signal medium (and media)” shallbe taken to include any form of modulated data signal, carrier wave, andso forth. The term “modulated data signal” means a signal that has oneor more of its characteristics set or changed in such a manner as toencode information in the signal.

Computer-Readable Medium/Media

The terms “computer-readable medium (and media),” “machine-readablemedium (and media),” and “device-readable medium (and media)” mean thesame thing and may be used interchangeably in this disclosure. The termsare defined to include both computer-storage media and transmissionmedia. Thus, the terms include both storage devices and storage media aswell as carrier waves and modulated data signals.

Examples of Embodiments

Following is a list of some examples of embodiments.

Example 1 is a method that includes receiving, by a database platformthat includes at least one hardware processor, an object identifier froma client in association with a database session, the client beingassociated with a customer account of the database platform, thedatabase session being associated with the client; identifying, by thedatabase platform in response to receiving the object identifier, aresolution namespace for the object identifier, the resolution namespacefor the object identifier being a namespace specified in the objectidentifier if the object identifier includes a specified namespace, theresolution namespace otherwise being a current account-level namespaceof the database session; and resolving, by the database platform, theobject identifier with reference to the identified resolution namespacefor the object identifier, the resolving of the object identifierincluding identifying an object corresponding to the object identifierin the customer account.

Example 2 is the method of Example 1, where the object includes (e.g.,is) an account-level object in the customer account.

Example 3 is the method of Example 2, where the account-level objectincludes a database object that is associated with a database in thecustomer account; receiving the object identifier includes receiving aquery directed to the database, where the query includes the objectidentifier; the identifying of the object corresponding to the objectidentifier in the customer account includes identifying the databaseobject; and the method further includes processing the query withrespect to the associated database.

Example 4 is the method of any of the Examples 1-3, further includingreceiving, from the client in association with the database session, aset-current-namespace command to set a namespace specified in theset-current-namespace command as the current account-level namespace ofthe database session; and setting, in response to receiving theset-current-namespace command, the specified namespace as the currentaccount-level namespace of the database session.

Example 5 is the method of any of the Examples 1-4, where a namespaceobject in the customer account represents the current account-levelnamespace of the database session.

Example 6 is the method of Example 5, where the namespace objectincludes a namespace identifier; and the current account-level namespaceof the database session contains one or more objects, each such objecthaving a namespace-identifier property set equal to the namespaceidentifier.

Example 7 is the method of any of the Examples 1-6, where the customeraccount includes a first account-level namespace; the firstaccount-level namespace contains one or more objects; and deletion ofthe first account-level namespace results in deletion of the one or moreobjects contained in the first account-level namespace.

Example 8 is the method of any of the Examples 1-7, where the customeraccount includes a first account-level namespace; the firstaccount-level namespace contains one or more objects; and deletion ofthe first account-level namespace does not result in deletion of the oneor more objects contained in the first account-level namespace.

Example 9 is the method of any of the Examples 1-8, where the customeraccount includes a first account-level namespace; the firstaccount-level namespace contains one or more objects; and the methodfurther includes receiving a replication request to replicate the firstaccount-level namespace; and in response to receiving the replicationrequest, replicating the first account-level namespace, the replicatingof the first account-level namespace including creating a secondaccount-level namespace, the second account-level namespace includingcopies of the one or more objects.

Example 10 is the method of any of the Examples 1-9, where the customeraccount is associated with a first business entity; the customer accountincludes a first namespace corresponding to a first tenant in thecustomer account, the first tenant including (e.g., being) a firstcustomer of the first business entity; and the customer account furtherincludes a second namespace corresponding to a second tenant in thecustomer account, the second tenant including (e.g., being) a secondcustomer of the first business entity.

Example 11 is a database platform that includes at least one hardwareprocessor; and one or more computer-storage media containinginstructions executable by the at least one hardware processor forcausing the at least one hardware processor to perform operationsincluding receiving an object identifier from a client in associationwith a database session, the client being associated with a customeraccount of the database platform, the database session being associatedwith the client; identifying, in response to receiving the objectidentifier, a resolution namespace for the object identifier, theresolution namespace for the object identifier being a namespacespecified in the object identifier if the object identifier includes aspecified namespace, the resolution namespace otherwise being a currentaccount-level namespace of the database session; and resolving theobject identifier with reference to the identified resolution namespacefor the object identifier, the resolving of the object identifierincluding identifying an object corresponding to the object identifierin the customer account.

Example 12 is the database platform of Example 11, where the objectincludes (e.g., is) an account-level object in the customer account.

Example 13 is the database platform of Example 12, where theaccount-level object includes a database object that is associated witha database in the customer account; receiving the object identifierincludes receiving a query directed to the database, where the queryincludes the object identifier; the identifying of the objectcorresponding to the object identifier in the customer account includesidentifying the database object; and the operations further includeprocessing the query with respect to the associated database.

Example 14 is the database platform of any of the Examples 11-13, theoperations further including receiving, from the client in associationwith the database session, a set-current-namespace command to set anamespace specified in the set-current-namespace command as the currentaccount-level namespace of the database session; and setting, inresponse to receiving the set-current-namespace command, the specifiednamespace as the current account-level namespace of the databasesession.

Example 15 is the database platform of any of the Examples 11-14, wherea namespace object in the customer account represents the currentaccount-level namespace of the database session.

Example 16 is the database platform of Example 15, where the namespaceobject includes a namespace identifier; and the current account-levelnamespace of the database session contains one or more objects, eachsuch object having a namespace-identifier property set equal to thenamespace identifier.

Example 17 is the database platform of any of the Examples 11-16, wherethe customer account includes a first account-level namespace; the firstaccount-level namespace contains one or more objects; and deletion ofthe first account-level namespace results in deletion of the one or moreobjects contained in the first account-level namespace.

Example 18 is the database platform of any of the Examples 11-17, wherethe customer account includes a first account-level namespace; the firstaccount-level namespace contains one or more objects; and deletion ofthe first account-level namespace does not result in deletion of the oneor more objects contained in the first account-level namespace.

Example 19 is the database platform of any of the Examples 11-18, wherethe customer account includes a first account-level namespace; the firstaccount-level namespace contains one or more objects; and the operationsfurther include receiving a replication request to replicate the firstaccount-level namespace; and in response to receiving the replicationrequest, replicating the first account-level namespace, the replicatingof the first account-level namespace including creating a secondaccount-level namespace, the second account-level namespace includingcopies of the one or more objects.

Example 20 is the database platform of any of the Examples 11-19, wherethe customer account is associated with a first business entity; thecustomer account includes a first namespace corresponding to a firsttenant in the customer account, the first tenant including (e.g., being)a first customer of the first business entity; and the customer accountfurther includes a second namespace corresponding to a second tenant inthe customer account, the second tenant including (e.g., being) a secondcustomer of the first business entity.

Example 21 is one or more computer-storage media containing instructionsexecutable by at least one hardware processor (of, e.g., a databaseplatform) for causing the at least one hardware processor to performoperations including receiving an object identifier from a client inassociation with a database session, the client being associated with acustomer account of a database platform, the database session beingassociated with the client; identifying, in response to receiving theobject identifier, a resolution namespace for the object identifier, theresolution namespace for the object identifier being a namespacespecified in the object identifier if the object identifier includes aspecified namespace, the resolution namespace otherwise being a currentaccount-level namespace of the database session; and resolving theobject identifier with reference to the identified resolution namespacefor the object identifier, the resolving of the object identifierincluding identifying an object corresponding to the object identifierin the customer account.

Example 22 is the one or more computer-storage media of Example 21,where the object includes (e.g., is) an account-level object in thecustomer account.

Example 23 is the one or more computer-storage media of Example 22,where the account-level object includes a database object that isassociated with a database in the customer account; receiving the objectidentifier includes receiving a query directed to the database, wherethe query includes the object identifier; the identifying of the objectcorresponding to the object identifier in the customer account includesidentifying the database object; and the operations further includeprocessing the query with respect to the associated database.

Example 24 is the one or more computer-storage media of any of theExamples 21-23, the operations further including receiving, from theclient in association with the database session, a set-current-namespacecommand to set a namespace specified in the set-current-namespacecommand as the current account-level namespace of the database session;and setting, in response to receiving the set-current-namespace command,the specified namespace as the current account-level namespace of thedatabase session.

Example 25 is the one or more computer-storage media of any of theExamples 21-24, where a namespace object in the customer accountrepresents the current account-level namespace of the database session.

Example 26 is the one or more computer-storage media of Example 25,where the namespace object includes a namespace identifier; and thecurrent account-level namespace of the database session contains one ormore objects, each such object having a namespace-identifier propertyset equal to the namespace identifier.

Example 27 is the one or more computer-storage media of any of theExamples 21-26, where the customer account includes a firstaccount-level namespace; the first account-level namespace contains oneor more objects; and deletion of the first account-level namespaceresults in deletion of the one or more objects contained in the firstaccount-level namespace.

Example 28 is the one or more computer-storage media of any of theExamples 21-27, where the customer account includes a firstaccount-level namespace; the first account-level namespace contains oneor more objects; and deletion of the first account-level namespace doesnot result in deletion of the one or more objects contained in the firstaccount-level namespace.

Example 29 is the one or more computer-storage media of any of theExamples 21-28, where the customer account includes a firstaccount-level namespace; the first account-level namespace contains oneor more objects; and the operations further include receiving areplication request to replicate the first account-level namespace; andin response to receiving the replication request, replicating the firstaccount-level namespace, the replicating of the first account-levelnamespace including creating a second account-level namespace, thesecond account-level namespace including copies of the one or moreobjects.

Example 30 is the one or more computer-storage media of any of theExamples 21-29, where the customer account is associated with a firstbusiness entity; the customer account includes a first namespacecorresponding to a first tenant in the customer account, the firsttenant including (e.g., being) a first customer of the first businessentity; and the customer account further includes a second namespacecorresponding to a second tenant in the customer account, the secondtenant including (e.g., being) a second customer of the first businessentity.

Example 31 is a method that includes authenticating, by a databaseplatform that includes at least one hardware processor, a system userfor access via an application to a database associated with a customeraccount of the database platform, the system user being a first objectin a first account-level namespace of the customer account, the firstaccount-level namespace being distinct from a default account-levelnamespace of the customer account; sending, by the system user via theapplication, a query to the database that is associated in the databaseplatform with the customer account; receiving, as the system user,results of the query from the database; and storing, as the system user,the results of the query in a first-namespace stage, the first-namespacestage being a second object in the first account-level namespace.

Example 32 is the method of Example 31, where authenticating the systemuser for access via the application to the database includes providingcredentials for the system user from the application to the databaseplatform.

Example 33 is the method of either Example 31 or Example 32, whereobjects in the first account-level namespace are not visible to objectsin the default account-level namespace.

Example 34 is the method of any of the Examples 31-33, further includingconducting, as the system user, a database session with respect to thedatabase, the conducting of the database session including conductingone or more database transactions on the database, the conducting of theone or more database transactions on the database including the sendingof the query to the database.

Example 35 is the method of Example 34, where the database session isbound to the system user and to the first account-level namespace.

Example 36 is the method of any of the Examples 31-35, further includingdetecting that a first user in the customer account has performed asecond query and received second-query results, the first user being anobject in the default account-level namespace; connecting as the systemuser to the database platform to open a database session; downloadingthe second-query results from the database; and storing the second-queryresults in the first-namespace stage.

Example 37 is the method of Example 36, further including providingaccess to the second-query results to one or more users via a userinterface of the application.

Example 38 is the method of any of the Examples 31-37, further includingproviding access to the results of the query to one or more users via auser interface of the application.

Example 39 is the method of any of the Examples 31-38, further includingmodifying, as the system user, one or more objects in the firstaccount-level namespace.

Example 40 is the method of any of the Examples 31-39, where the systemuser has granted thereto an administrative role for the application, theadministrative role for the application not being owned by anadministrative role for the customer account.

Example 41 is a database platform that includes at least one hardwareprocessor; and one or more computer-storage media containinginstructions executable by the at least one hardware processor forcausing the at least one hardware processor to perform operationsincluding authenticating a system user for access via an application toa database associated with a customer account of the database platform,the system user being a first object in a first account-level namespaceof the customer account, the first account-level namespace beingdistinct from a default account-level namespace of the customer account;sending, by the system user via the application, a query to the databasethat is associated in the database platform with the customer account;receiving, as the system user, results of the query from the database;and storing, as the system user, the results of the query in afirst-namespace stage, the first-namespace stage being a second objectin the first account-level namespace.

Example 42 is the database platform of Example 41, where authenticatingthe system user for access via the application to the database includesproviding credentials for the system user from the application to thedatabase platform.

Example 43 is the database platform of either Example 41 or Example 42,where objects in the first account-level namespace are not visible toobjects in the default account-level namespace.

Example 44 is the database platform of any of the Examples 41-43, theoperations further including conducting, as the system user, a databasesession with respect to the database, the conducting of the databasesession including conducting one or more database transactions on thedatabase, the conducting of the one or more database transactions on thedatabase including the sending of the query to the database.

Example 45 is the database platform of Example 44, where the databasesession is bound to the system user and to the first account-levelnamespace.

Example 46 is the database platform of any of the Examples 41-45, theoperations further including detecting that a first user in the customeraccount has performed a second query and received second-query results,the first user being an object in the default account-level namespace;connecting as the system user to the database platform to open adatabase session; downloading the second-query results from thedatabase; and storing the second-query results in the first-namespacestage.

Example 47 is the database platform of Example 46, the operationsfurther including providing access to the second-query results to one ormore users via a user interface of the application.

Example 48 is the database platform of any of the Examples 41-47, theoperations further including providing access to the results of thequery to one or more users via a user interface of the application.

Example 49 is the database platform of any of the Examples 41-48, theoperations further including modifying, as the system user, one or moreobjects in the first account-level namespace.

Example 50 is the database platform of any of the Examples 41-49, wherethe system user has granted thereto an administrative role for theapplication, the administrative role for the application not being ownedby an administrative role for the customer account.

Example 51 is one or more computer-storage media containing instructionsexecutable by at least one hardware processor for causing the at leastone hardware processor to perform operations including authenticating asystem user for access via an application to a database associated witha customer account of a database platform, the system user being a firstobject in a first account-level namespace of the customer account, thefirst account-level namespace being distinct from a defaultaccount-level namespace of the customer account; sending, by the systemuser via the application, a query to the database that is associated inthe database platform with the customer account; receiving, as thesystem user, results of the query from the database; and storing, as thesystem user, the results of the query in a first-namespace stage, thefirst-namespace stage being a second object in the first account-levelnamespace.

Example 52 is the one or more computer-storage media of Example 51,where authenticating the system user for access via the application tothe database includes providing credentials for the system user from theapplication to the database platform.

Example 53 is the one or more computer-storage media of either Example51 or Example 52, where objects in the first account-level namespace arenot visible to objects in the default account-level namespace.

Example 54 is the one or more computer-storage media of any of theExamples 51-53, the operations further including conducting, as thesystem user, a database session with respect to the database, theconducting of the database session including conducting one or moredatabase transactions on the database, the conducting of the one or moredatabase transactions on the database including the sending of the queryto the database.

Example 55 is the one or more computer-storage media of Example 54,where the database session is bound to the system user and to the firstaccount-level namespace.

Example 56 is the one or more computer-storage media of any of theExamples 51-55, the operations further including detecting that a firstuser in the customer account has performed a second query and receivedsecond-query results, the first user being an object in the defaultaccount-level namespace; connecting as the system user to the databaseplatform to open a database session; downloading the second-queryresults from the database; and storing the second-query results in thefirst-namespace stage.

Example 57 is the one or more computer-storage media of Example 56, theoperations further including providing access to the second-queryresults to one or more users via a user interface of the application.

Example 58 is the one or more computer-storage media of any of theExamples 51-57, the operations further including providing access to theresults of the query to one or more users via a user interface of theapplication.

Example 59 is the one or more computer-storage media of any of theExamples 51-58, the operations further including modifying, as thesystem user, one or more objects in the first account-level namespace.

Example 60 is the one or more computer-storage media of any of theExamples 51-59, where the system user has granted thereto anadministrative role for the application, the administrative role for theapplication not being owned by an administrative role for the customeraccount.

To promote an understanding of the principles of the present disclosure,various embodiments are illustrated in the drawings. The embodimentsdisclosed herein are not intended to be exhaustive or to limit thepresent disclosure to the precise forms that are disclosed in the abovedetailed description. Rather, the described embodiments have beenselected so that others skilled in the art may utilize their teachings.Accordingly, no limitation of the scope of the present disclosure isthereby intended.

In any instances in this disclosure, including in the claims, in whichnumeric modifiers such as first, second, and third are used in referenceto components, data (e.g., values, identifiers, parameters, and/or thelike), and/or any other elements, such use of such modifiers is notintended to denote or dictate any specific or required order of theelements that are referenced in this manner. Rather, any such use ofsuch modifiers is intended to assist the reader in distinguishingelements from one another, and should not be interpreted as insistingupon any particular order or carrying any other significance, unlesssuch an order or other significance is clearly and affirmativelyexplained herein.

Moreover, consistent with the fact that the entities and arrangementsthat are described herein, including the entities and arrangements thatare depicted in and described in connection with the drawings, arepresented as examples and not by way of limitation, any and allstatements or other indications as to what a particular drawing“depicts,” what a particular element or entity in a particular drawingor otherwise mentioned in this disclosure “is” or “has,” and any and allsimilar statements that are not explicitly self-qualifying by way of aclause such as “In at least one embodiment,” and that could therefore beread in isolation and out of context as absolute and thus as alimitation on all embodiments, can only properly be read as beingconstructively qualified by such a clause. It is for reasons akin tobrevity and clarity of presentation that this implied qualifying clauseis not repeated ad nauseum in this disclosure.

In the present disclosure, various terminology is used in accordancewith provided definitions. Furthermore, it is noted in connection withthe definitions set out herein that the defined terms and phrases asused herein include the provided definitions along with any general andconventional understandings of the meaning of the respective terms andphrases.

It is further noted that, as used in this specification and in theappended claims, the singular forms “a,” “an,” and “the” include pluralreferents unless the context clearly dictates otherwise.

As used herein, the terms “comprising,” “including,” “containing,”“characterized by,” and grammatical equivalents thereof are inclusive,open-ended terms that do not exclude additional, unrecited elements,method steps, or the like.

Many of the functional units described in this specification may beimplemented as one or more components, which is a term used to moreparticularly emphasize their implementation independence. For example, acomponent may be implemented as a hardware circuit including custom verylarge-scale integration (VLSI) circuits or gate arrays, off-the-shelfsemiconductors such as logic chips, transistors, and/or other discretecomponents. A component may also be implemented in programmable hardwaredevices such as field programmable gate arrays (FPGAs), programmablearray logic, programmable logic devices, and/or the like.

Components may also be implemented in software for execution on varioustypes of hardware (e.g., by various types of processors). An identifiedcomponent of executable code may, for instance, include one or morephysical or logical blocks of computer instructions, which may, forinstance, be organized as an object, a procedure, or a function.Nevertheless, the executable instructions of an identified componentneed not be physically located together but may include disparateinstructions stored in different locations that, when joined logicallytogether, make up the component and achieve the stated purpose for thecomponent.

Indeed, a component of executable code may be a single instruction, ormany instructions, and may be distributed over several different codesegments, among different programs, and across several memory devices.Similarly, operational data may be identified and illustrated hereinwithin components and may be embodied in any suitable form and organizedwithin any suitable type of data structure. The operational data may becollected as a single data set or may be distributed over differentlocations including over different storage devices, and may exist, atleast partially, merely as electronic signals on a system or network.The components may be passive or active, including agents operable toperform desired functions.

Reference throughout this specification to “an example” means that afeature, structure, or characteristic described in connection with theexample is included In at least one embodiment of the presentdisclosure. Thus, appearances of the phrase “in an example” in variousplaces throughout this specification are not necessarily all referringto the same embodiment.

As used herein, a plurality of items, structural elements, compositionalelements, and/or materials may be presented in a common list forconvenience. However, these lists should be construed as though eachmember of the list is individually identified as a separate and uniquemember. Thus, no individual member of such list should be construed as ade facto equivalent of any other member of the same list solely based onits presentation in a common group without indications to the contrary.In addition, various embodiments and examples of the present disclosuremay be referred to herein along with alternatives for the variouscomponents thereof. It is understood that such embodiments, examples,and alternatives are not to be construed as de facto equivalents of oneanother but are to be considered as separate and autonomousrepresentations of the present disclosure.

Although the foregoing has been described in some detail for purposes ofclarity, it will be apparent that certain changes and modifications maybe made without departing from the principles thereof. It should benoted that there are many alternative ways of implementing both theprocesses and apparatuses described herein. Accordingly, the presentembodiments are to be considered illustrative and not restrictive.

Those having skill in the art will appreciate that many changes may bemade to the details of the above-described embodiments without departingfrom the underlying principles of the disclosure. The scope of thepresent disclosure should, therefore, be determined only by the claims.

1. A method comprising: authenticating, by a database platformcomprising at least one hardware processor, a system user for access viaan application to a database associated with a customer account of thedatabase platform, the system user being an automated user that isdefined as a first object in a first account-level namespace of thecustomer account, the first account-level namespace being distinct froma default account-level namespace of the customer account; and detectingthat a first user in the customer account has performed, and receivedquery results of, a query on the database, the first user being definedas a first object in the default account-level namespace and associatedwith a human user, and responsively: downloading, as the system user viathe application, the query results; storing, as the system user via theapplication, the query results in a first-namespace stage, thefirst-namespace stage being defined as a second object in the firstaccount-level namespace; and providing access to the stored queryresults to one or more users via a user interface of the application. 2.The method of claim 1, wherein authenticating the system user for accessvia the application to the database comprises providing credentials forthe system user from the application to the database platform.
 3. Themethod of claim 1, wherein objects in the first account-level namespaceare not visible to objects in the default account-level namespace. 4.The method of claim 1, further comprising conducting, as the systemuser, a database session with respect to the database, the conducting ofthe database session comprising conducting one or more databasetransactions on the database, the conducting of the one or more databasetransactions on the database comprising sending a second query to thedatabase.
 5. The method of claim 4, wherein the database session isbound to the system user and to the first account-level namespace. 6.The method of claim 1, further comprising, also in response to thedetecting, connecting as the system user to the database platform toopen a database session, wherein the downloading of the query resultsoccurs during the database session.
 7. (canceled)
 8. The method of claim4, further comprising providing access to query results of the secondquery to one or more users via the user interface of the application. 9.The method of claim 1, further comprising modifying, as the system user,one or more objects in the first account-level namespace.
 10. The methodof claim 1, wherein the system user has granted thereto anadministrative role for the application, the administrative role for theapplication not being owned by an administrative role for the customeraccount.
 11. A database platform comprising: at least one hardwareprocessor; and one or more computer-storage media containinginstructions that, when executed by the at least one hardware processor,cause the at least one hardware processor to perform operationscomprising: authenticating a system user for access via an applicationto a database associated with a customer account of the databaseplatform, the system user being an automated user that is defined as afirst object in a first account-level namespace of the customer account,the first account-level namespace being distinct from a defaultaccount-level namespace of the customer account; and detecting that afirst user in the customer account has performed, and received queryresults of, a query on the database, the first user being defined as afirst object in the default account-level namespace and associated witha human user, and responsively: downloading, as the system user via theapplication, the query results; storing, as the system user via theapplication, the query results in a first-namespace stage, thefirst-namespace stage being defined as a second object in the firstaccount-level namespace; and providing access to the stored queryresults to one or more users via a user interface of the application.12. The database platform of claim 11, wherein authenticating the systemuser for access via the application to the database comprises providingcredentials for the system user from the application to the databaseplatform.
 13. The database platform of claim 11, wherein objects in thefirst account-level namespace are not visible to objects in the defaultaccount-level namespace.
 14. The database platform of claim 11, theoperations further comprising conducting, as the system user, a databasesession with respect to the database, the conducting of the databasesession comprising conducting one or more database transactions on thedatabase, the conducting of the one or more database transactions on thedatabase comprising sending a second query to the database.
 15. Thedatabase platform of claim 14, wherein the database session is bound tothe system user and to the first account-level namespace.
 16. Thedatabase platform of claim 11, the operations further comprising, alsoin response to the detecting, connecting as the system user to thedatabase platform to open a database session, wherein the downloading ofthe query results occurs during the database session.
 17. (canceled) 18.The database platform of claim 14, the operations further comprisingproviding access to query results of the second query to one or moreusers via the user interface of the application.
 19. The databaseplatform of claim 11, the operations further comprising modifying, asthe system user, one or more objects in the first account-levelnamespace.
 20. The database platform of claim 11, wherein the systemuser has granted thereto an administrative role for the application, theadministrative role for the application not being owned by anadministrative role for the customer account.
 21. One or morecomputer-storage media containing instructions that, when executed by atleast one hardware processor of a database platform, cause the at leastone hardware processor to perform operations comprising: authenticatinga system user for access via an application to a database associatedwith a customer account of the database platform, the system user beingan automated user that is defined as a first object in a firstaccount-level namespace of the customer account, the first account-levelnamespace being distinct from a default account-level namespace of thecustomer account; and detecting that a first user in the customeraccount has performed, and received query results of, a query on thedatabase, the first user being defined as a first object in the defaultaccount-level namespace and associated with a human user, andresponsively: downloading, as the system user via the application, thequery results; storing, as the system user via the application, thequery results in a first-namespace stage, the first-namespace stagebeing defined as a second object in the first account-level namespace;and providing access to the stored query results to one or more usersvia a user interface of the application.
 22. The one or morecomputer-storage media of claim 21, wherein authenticating the systemuser for access via the application to the database comprises providingcredentials for the system user from the application to the databaseplatform.
 23. The one or more computer-storage media of claim 21,wherein objects in the first account-level namespace are not visible toobjects in the default account-level namespace.
 24. The one or morecomputer-storage media of claim 21, the operations further comprisingconducting, as the system user, a database session with respect to thedatabase, the conducting of the database session comprising conductingone or more database transactions on the database, the conducting of theone or more database transactions on the database comprising sending asecond query to the database.
 25. The one or more computer-storage mediaof claim 24, wherein the database session is bound to the system userand to the first account-level namespace.
 26. The one or morecomputer-storage media of claim 21, the operations further comprising,also in response to the detecting, connecting as the system user to thedatabase platform to open a database session, wherein the downloading ofthe query results occurs during the database session.
 27. (canceled) 28.The one or more computer-storage media of claim 24, the operationsfurther comprising providing access to query results of the second queryto one or more users via the user interface of the application.
 29. Theone or more computer-storage media of claim 21, the operations furthercomprising modifying, as the system user, one or more objects in thefirst account-level namespace.
 30. The one or more computer-storagemedia of claim 21, wherein the system user has granted thereto anadministrative role for the application, the administrative role for theapplication not being owned by an administrative role for the customeraccount.